The smaller the trust surface, the smaller the failure surface.

Most security incidents in this market originate from controls the operator never should have shipped. We chose not to ship them.

• No admin keys. Every contract is deployed without owner / governor / multisig roles. There is no address that can pause trading, drain LP, mint new supply, or upgrade implementation. renounceOwnership() is not a feature — it is the default.
• No proxy / upgrade path. Every contract is a final-bytecode deployment. No delegatecall to a mutable implementation. The bytecode at the deployed address today is the bytecode forever.
• No pause mechanism. Even in an emergency, the operator cannot stop or censor a trade. If a vulnerability is discovered, the only mitigation is to publish the disclosure and let the market re-price; user assets remain reachable on-chain regardless.
• No custodial reserve. The backend holds zero key material. The operator's Ledger signs only its own treasury operations. User keys are derived from a passkey on the user's device via WebAuthn PRF — they never leave the browser.
• No off-chain fee path. All fees are split atomically inside the router multicall and routed to an immutable on-chain collector. No off-chain settlement, no IOU ledger, no rebate accrual that depends on the operator staying online.
• No issuer-dependent stablecoin in the fee sink. The collector sinks to LUSD, not USDC. Circle cannot freeze the operator's working capital. The trade-off is thinner liquidity, accepted deliberately.

Every entry above is the live bytecode at the address as of mainnet block 25 253 169 (June 5, 2026). The Founders Pass V2, Token Factory V3, Subscription V1, Treasury Sweeper V1 and LSR Airdrop contracts are Ownable with the owner set to the Operator Treasury EOA 0x791dA60B…0a120B73 — the Ledger-controlled address declared as Company property in the Operating Agreement Art. V §5.1. The Fee Collector LUSD and the LSR token are issued without an owner role at all (any call to owner() reverts), so there is no admin key to renounce or compromise. The Fee Collector's destination (TREASURY), stablecoin (STABLE = LUSD), wrapped-native (WETH) and DEX router (UNIV3_ROUTER) are all immutable Solidity slots set in the constructor — verified on-chain to be the Operator Treasury, Liquity LUSD, canonical WETH and Uniswap V3 SwapRouter02 respectively. A compromised operator key cannot redirect fees, change the stablecoin or swap in a malicious router. The LSR Airdrop contract is pre-funded with exactly 250,000,000 LSR (500 Passes × 500,000 LSR), claimable by holders via Merkle proof after the 500th mint; unclaimed tokens after the operator-set window recycle back to the Treasury per the published tokenomics. The Solidity source for every address is one click away on Sourcify (exact_match).

All seven addresses above are source-verified on the open, free, decentralised Sourcify registry — each match is recorded as exact_match, the strictest grade Sourcify issues (constructor args + metadata hash both line up). Open the Founders Pass V2 lookup and you see the Solidity source side-by-side with the on-chain bytecode — no “trust the deployment notes” step in the middle.

An Etherscan verification badge is the post-launch operator action; until it lands, Sourcify is the canonical trust signal. The bytecode-pinning table below makes the verification provider irrelevant — you can verify without trusting any third-party verifier.

For the spot-check from a terminal, the on-chain bytecode is one cast call away — no clone required:

cast code 0x6238B370E5cB9E06b6277aaDcf1307E30D3B212d \
  --rpc-url https://eth.llamarpc.com   # any mainnet RPC works
# The result is content-addressable, so future verifiers get the
# same bytes regardless of which RPC they ask.

For a deterministic spot-check, every contract's runtime-bytecode sha256 is pinned below. Each hash was taken at mainnet block 25 253 169 from a local Reth archive; non-upgradeable contracts are immutable, so the hash matches forever. Pipe cast code into sha256sum and the digest must match this table, line-for-line.

# Verify any row deterministically:
cast code <ADDRESS> --rpc-url <ANY_RPC> \
  | tr -d $'\n' \
  | sha256sum

Full 64-character digests, no abbreviation: 90a31ac84e2a6c891800fad78c16e93c0397ad05be0b86940b1ff08c09cb59b2 · 210b2477d84bcd6eeb68f7dd56fa64454e9e101215f50c1460419a596c991ab7 · 5fda22d17b17d6c8df73d66cc06f896e5e1fdccdfed23624dabcdf0de0a678e3 · df6f1e911198ab65cd5e4f0c4f9ac9b3fc78fb7f145518a934293c6b839ec232 · b38b3942791a4e49523027091507b3e49eb77a609487f2209113713588c7e521 · acd8cf2c77a2c545d846b1ce0b89780a6d684901bcbf6bb37e608a47b5b70e3b.

If you find a source-vs-bytecode mismatch on any address above, that is a security incident. File it in-app under Settings · Support; the ticket is bound to your wallet, the reply lands as a push notification, and the operator reads every one.

A full source repository mirror is part of the post-launch transparency roadmap; until then the Sourcify exact-match record is the canonical third-party artifact.

LOSURIA's launchpad contracts have not yet been audited by a third party. This is the truth, not a roadmap-deferred maybe. The current security model rests on three claims that anyone can verify without an audit:

• The contracts are immutable. There is no path for the operator to introduce a bug after deployment.
• The source matches the bytecode. Etherscan source-verification means any outside reviewer can read exactly what executes.
• The bug-class surface area is small. No admin keys means no key-leak scenario. No pause means no censoring fork. No upgrade means no rug-by-implementation-swap.

A formal third-party Tier-1 audit will be funded post-revenue, with the report published whether the findings are flattering or not. Until that report exists, please verify against the source yourself rather than relying on a logo.